Networking

如果使用直接 IP 而不是除了 Host 標頭之外的域,HTTP 伺服器可能會返回不同結果的一些原因是什麼?

  • June 17, 2020

在某些情況下,有一個 HTTP(s) 伺服器有一些我正在嘗試代理的資產,我需要使用 IP 地址而不是域來這樣做。經過一些故障排除後,我意識到如果我發出 HTTP 請求,我https://202.100.200.152/sushi/會得到響應,並且只有在使用域時才會得到我想要的響應https://sp.water.contoso.com/sushi/

我確定 HTTP(s) 伺服器前面有一個代理,可以在整個地方路由連接。我無法訪問此伺服器,所以我認為它是一個黑匣子。我想也許它會通過主機頭檢查域,但是當我覆蓋它時它仍然不起作用。

我想知道除了 HOST 標頭之外還有哪些其他因素導致我沒有得到我想要的響應。

我用 CURL 模擬了BAD響應:

curl -k -v -I -H 'Host: sp.water.contoso.com'  https://202.100.200.152/sushi/
*   Trying 202.100.200.152...
* TCP_NODELAY set
* Connected to 202.100.200.152 (202.100.200.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
 CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.water.contoso.com
*  start date: Feb 11 18:53:34 2020 GMT
*  expire date: Feb 10 18:53:35 2022 GMT
*  issuer: CN=ingress-operator@3582449223
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> HEAD /sushi/ HTTP/1.1
> Host: sp.water.contoso.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
HTTP/1.0 503 Service Unavailable
< Pragma: no-cache
Pragma: no-cache
< Cache-Control: private, max-age=0, no-cache, no-store
Cache-Control: private, max-age=0, no-cache, no-store
< Connection: close
Connection: close
< Content-Type: text/html
Content-Type: text/html

< 
* Excess found in a non pipelined read: excess = 3131 url = /sushi/ (zero-length body)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

然後是CURL的GOOD響應

curl -v -I -k  https://sp.water.contoso.com/sushi/
*   Trying 202.100.200.152...
* TCP_NODELAY set
* Connected to sp.water.contoso.com (202.100.200.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
 CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=CA; L=Silicon Valley; O=Cupcake; OU=contoso Data Platform; emailAddress=contoso-adp@us.contoso.com; CN=contoso-Data-and-AI
*  start date: Oct 29 04:33:35 2019 GMT
*  expire date: Jan 30 04:33:35 2022 GMT
*  issuer: C=US; ST=CA; L=Silicon Valley; O=Cupcake; OU=contoso Data Platform; emailAddress=contoso-adp@us.contoso.com; CN=contoso-Data-and-AI
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD /sushi/ HTTP/1.1
> Host: sp.water.contoso.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: openresty
Server: openresty
< Date: Wed, 17 Jun 2020 17:46:01 GMT
Date: Wed, 17 Jun 2020 17:46:01 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Content-Length: 266
Content-Length: 266
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: Express
X-Powered-By: Express
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: public, max-age=0
Cache-Control: public, max-age=0
< Last-Modified: Tue, 02 Jun 2020 21:26:35 GMT
Last-Modified: Tue, 02 Jun 2020 21:26:35 GMT
< ETag: W/"10a-17276edcaf8"
ETag: W/"10a-17276edcaf8"
< X-Frame-Options: DENY
X-Frame-Options: DENY

< 
* Connection #0 to host sp.water.contoso.com left intact
* Closing connection 0

從 CURL 輸出中可以看出,兩者都使用相同的 IP,並且>部分錶明它們發送相同的標頭。伺服器返回不想要的頁面的一些可能原因是什麼?

這裡的原因是當您向 IP 地址發出請求時,TLS Server Name Indication 欄位包含主機的 IP 地址,而不是域。

您正在連接的伺服器為 IP 地址和不同的域名定義了不同的虛擬主機。為 IP 地址定義的虛擬主機不提供您正在尋找的服務。

為了使用 curl 發送正確的 TLS 伺服器名稱指示欄位,您需要使用以下--resolve參數:

curl --resolve sp.water.contoso.com:443:209.100.200.152 https://sp.water.contoso.com/sushi/

這將告訴伺服器應該與sp.water.contoso.com虛擬主機建立 TLS 連接,而不是 IP 地址。

添加 HTTPHost標頭僅對 HTTP 協議有效。

引用自:https://serverfault.com/questions/1021925